Authentication is simply the validation of a credential. It is an important step in the process of performing any sort of secure network access control. When thinking about authentication, it often helps to relate the topic to something that occurs within your day-to-day life.
Consider when a highway patrol officer has a driver pull his car over to the side of the road. The officer will walk up to the driver’s window and ask for his driver’s license and proof of insurance (at least that is what happens in the United States). The driver will hopefully hand over these documents for the officer to inspect.
The officer should examine the driver’s license and determine whether it appears to be real. The hologram and watermarks in the driver’s license are there, so it appears to be real. The picture on the license looks like the driver who handed over the license. The license hasn’t expired. After going back to the squad car, the officer will perform a lookup into the Department of Motor Vehicles database to determine whether the license has been suspended.
All checks have passed. This is a valid ID. The “authentication” was successful.
Authentication policies have a few goals. They drop traffic that isn’t allowed and prevent it from taking up any more processing power (the officer would immediately reject a library card because that is not an allowed form of ID for a driver). The policy will route authentication requests to the correct identity store (North Carolina DMV, or New York DMV, and so on and so on); validate the identity (was this a valid license for that driver); and finally “pass” successful authentications over to the authorization policy (was the driver allowed to exceed the speed limit and run other drivers off the road).
When thinking about authentication for network access, it often helps to relate the topic to a day-to-day example such as this one. The goals are typically similar, and the example also helps to illustrate the difference between authentication and authorization.
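As an added illustration (not code from the book or from Cisco ISE), the four goals of an authentication policy described above as a small Python model: a request is dropped if its method is not allowed, routed by the first matching rule to an identity store, validated there, and only a successful result is handed on to authorization. The store names, users, realm-based routing convention and credential hashing are all constructed assumptions for the example.

```python
import hashlib
import hmac
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable

def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed identity stores (hypothetical stand-ins for the two DMVs), holding credential digests only.
IDENTITY_STORES = {
    "NC_DMV": {"alice@nc.example": _h("correct-horse")},
    "NY_DMV": {"bob@ny.example": _h("battery-staple")},
}
# Methods this policy accepts; anything else is the "library card" and is dropped up front.
ALLOWED_PROTOCOLS = {"EAP-TLS", "EAP-FAST", "PAP"}

@dataclass
class AuthRequest:
    protocol: str
    username: str
    credential: str

@dataclass
class AuthRule:
    name: str
    matches: Callable[[AuthRequest], bool]  # which requests this rule routes
    identity_store: str                     # where matching requests are validated

# outcome is "drop", "reject" or "pass"; rule and store name the rule and identity store used, if any.
AuthResult = namedtuple("AuthResult", "outcome rule store", defaults=(None, None))

def evaluate(req: AuthRequest, rules: list) -> AuthResult:
    # Goal 1: drop a request using a method the policy does not allow, before any other work.
    if req.protocol not in ALLOWED_PROTOCOLS:
        return AuthResult("drop")
    # Goal 2: the first matching rule decides which identity store is consulted.
    for rule in rules:
        if rule.matches(req):
            expected = IDENTITY_STORES[rule.identity_store].get(req.username)
            # Goal 3: validate the credential against that store (constant-time compare).
            ok = expected is not None and hmac.compare_digest(expected, _h(req.credential))
            # Goal 4: only a "pass" result is handed on to the authorization policy.
            return AuthResult("pass" if ok else "reject", rule.name, rule.identity_store)
    return AuthResult("reject")  # no rule matched, so there is no store to validate against
# Rules route on the realm suffix of the username (a constructed convention for this example).
RULES = [
    AuthRule("nc_users", lambda r: r.username.endswith("@nc.example"), "NC_DMV"),
    AuthRule("ny_users", lambda r: r.username.endswith("@ny.example"), "NY_DMV"),
]
```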
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 10-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”
Table 10-1 “Do I Know This Already?” Section-to-Question Mapping

| Foundation Topics Section | Questions |
|---|---|
| Describe Identity Store Options | 6 |
| Implement Wired/Wireless 802.1X | 6-7 |
| AV Pairs | 7-8 |
| EAP Types | 2 |
| Implement MAB | 1, 4 |
| Describe the MAB Process Within an 802.1X Framework | 1 |
| ISE Authentication/Authorization Policies | 3, 5, 9-10 |
1. Which of the following is required to perform MAB from a Cisco network device?
   - The RADIUS packet must have the service-type set to login and the called-station-id populated with the MAC address of the endpoint.
   - The RADIUS packet must have the service-type set to Call-Check and the calling-station-id populated with the MAC address of the endpoint.
   - The RADIUS packet must have the service-type set to Call-Check and the called-station-id populated with the MAC address of the endpoint.
   - The RADIUS packet must have the service-type set to login and the calling-station-id populated with the MAC address of the endpoint.
2. Which EAP type is capable of performing EAP chaining?
   - PEAP
   - EAP-FAST
   - EAP-TLS
   - EAP-MD5
3. Which of the following choices are purposes of an authentication policy?
   - To permit or deny access to the network based on the incoming authentication request
   - To apply access control filters, such as dACL or security group tags (SGTs), to the network device to limit traffic
   - To drop requests using an incorrect authentication method, route authentication requests to the correct identity store, validate the identity, and “pass” successful authentications over to the authorization policy
   - To terminate encrypted tunnels for purposes of remote access into the network
4. True or False? You must select Detect PAP as Host Lookup to enable MAB requests for Cisco network devices.
   - True
   - False
5. True or False? Policy conditions from attribute dictionaries can be saved as conditions inline while building authentication policies.
   - True
   - False
6. Which method will work effectively to allow a different identity store to be selected for each EAP type used?
   - This is not possible because the first rule to match 802.1X will be used and no further rules can be used.
   - Create one authentication rule that matches a service type framed for each of the EAP protocols. Each authentication rule should have one subrule that matches the EapAuthentication (such as EAP-TLS, EAP-FAST, and so on).
   - This is only possible for the main EAP types. If there is an inner method of EAP-MSCHAPv2 with PEAP, it must be sent to the same identity store as the EAP-MSCHAPv2 inner method of EAP-FAST.
   - Create one sub-rule for each EAP type under the default 802.1X authentication rule that points to the appropriate identity store per rule.
7. Which RADIUS attribute is used to match the SSID?
   - calling-station-ID
   - source-wireless-SSID
   - framed-station-ID
   - called-station-ID
8. Which RADIUS attribute contains the MAC address of the endpoint?
   - calling-station-ID
   - source-wireless-SSID
   - framed-station-ID
   - called-station-ID
9. What is the purpose of the continue option of an authentication rule?
   - The continue option is used to send an authentication down the list of rules in an authentication policy until there is a match.
   - The continue option sends an authentication to the next sub-rule within the same authentication rule.
   - The continue option is used to send an authentication to the authorization policy, even if the authentication was not successful.
   - The continue option will send an authentication to the selected identity store.
10. True or False? The Drop option for an authentication rule will allow ISE to act as if it were not “alive” so the network device will no longer send authentication requests to that ISE server.
   - True
   - False